The Final Rule consists of four separate rule modifications:
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act and certain other modifications to improve the HIPAA Rules
  - Makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements
  - Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
  - Prohibits the sale of PHI without individual authorization
  - Expands individuals’ rights to receive electronic copies of their health information
  - Restricts disclosures to a health plan concerning treatment when the individual has paid for the treatment entirely out-of-pocket
  - Requires modifications to a covered entity’s notice of privacy practices (the modified notices must then be redistributed)
  - Modifies the individual authorization and other requirements:
    - to facilitate research and disclosure of child immunization proof to schools
    - to enable access to decedent information by family members or others
- Provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect
  - Adopts changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
  - Four tiers of increasing penalty amounts that correspond to the levels of culpability associated with the violation
- Final Rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act
- Final rule modifying the HIPAA Privacy Rule as required by GINA
  - Prohibits most health plans from using or disclosing genetic information for underwriting purposes